Who’s Responsible for a Third-Party Hack?

When data is leaked, people are quick to point fingers at the responsible party. However, following a leak of private photos and videos from more than 200,000 of their users’ accounts, Snapchat has attempted to wash their hands of responsibility. Snapchat argues that their servers were never breached, and access to these photos was instead made possible by the security lapses of third-party apps. These apps leverage Snapchat APIs (without permission from Snapchat) to store photos taken by Snapchat users, but often have weaker security and user protection than the Snapchat native app. Snapchat has a point in that they can’t be 100% responsible for what unauthorized third parties do with the Snapchat APIs. But besides securing their APIs, Snapchat also owes their customers more visibility into the risks inherent in their current system: Snapchat users can only trust Snapchat as much as they can trust the folks they are communicating with. Those receiving risqué “disappearing” pictures have long had the ability to take screen captures of the pictures or use third-party apps that record the pictures and prevent them from disappearing. Snapchat should be more upfront with these types of warnings to their users… and hopefully prevent their customers from being exposed.

Last week also saw the resurfacing of Edward Snowden. Snowden, who made classified information from the National Security Administration public last year, participated in a video interview focused on data privacy. Dropbox, the cloud storage service, also saw their users become victims of a third-party hack. Calling the service “hostile to privacy,” Snowden noted that Dropbox only encrypts user data during transfer and when being stored on servers. This means that user data is at a high security risk at other times, and especially when using the Dropbox app. This is especially concerning given that the Appthority Summer App Reputation Report found that thirty-one percent of the top free Android apps and sixteen percent of the top free iOS apps connect to cloud file storage services like Dropbox, making it one of the top ten risky app behaviors for the enterprise. To protect enterprise data from ending up in the wrong hands, the Appthority Service identifies apps that violate cloud-based storage precautions.

If the security of the apps that store images from Snapchat or documents on Dropbox is being compromised, it raises the questions: what other data is being collected by apps, and who will be able to hack their way into possession of it? When enterprise data can be collected by an unapproved app on a cell phone in a BYOD environment, it is impossible to feel completely confident that the data won’t also be exposed to unauthorized sharing during a security breach.

Appthority understands how alarming this can be, and our app reputation reports offer close analysis of which apps are most at risk of granting unauthorized access to third-party cloud storage services. Third-party apps may be fun or useful, but with each one that is downloaded onto a mobile device, the question of whether it will promote a safe and secure mobile workforce must be asked.

Where do you think responsibility lies in third-party app attacks? Share your thoughts with the Appthority team on Twitter at @Appthority.